--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 10:14:16 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 10:40:48 2023 +0200
@@ -480,6 +480,13 @@
return oauth_error("invalid_grant", "invalid refresh token");
end
+ local refresh_token_client = refresh_token_info.grant.data.oauth2_client;
+ if not refresh_token_client.hash or refresh_token_client.hash ~= client.client_hash then
+ module:log("warn", "OAuth client %q (%s) tried to use refresh token belonging to %q (%s)", client.client_name, client.client_hash,
+ refresh_token_client.name, refresh_token_client.hash);
+ return oauth_error("unauthorized_client", "incorrect credentials");
+ end
+
local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
if params.scope then